UNDERSTANDING RISK ASSESSMENT AND MITIGATION BY FINANCIAL INSTITUTIONS With respect to financial institutions, the key AML/CFT requirements are contained in Recommendation 1 (risk assessment), in Immediate Objective 4 for effectiveness (understanding and mitigating risks), and in other more specific risk-based obligations such as Recommendation 10 on customer due diligence and Recommendation 18 on AML/CFT policies, procedures, and controls, including group-wide programs. This appendix deals in more detail with a bank’s obligations because the supervisor needs to have a thorough understanding of those obligations to enable it to conduct effective supervision. In addition to the FATF recommendations, the Basel Core Principles of Effective Banking Supervision and the “Guidelines on Sound Management of Risk Related to Money Laundering and Financing of Terrorism” of the Basel Committee on Banking Supervision (BCBS) require banks to have adequate policies and processes, including customer due diligence rules, to prevent them from being used for criminal activities (FATF 2020). This requirement should be a specific part of a bank’s general obligation to have sound risk management programs in place to address all kinds of risks, including ML and TF risks. In this context, having “adequate policies and processes” requires other measures in addition to the implementation of effective customer due diligence rules. These measures should also be risk based and informed by a bank’s own assessment of its ML/TF risks. From the perspective of individual financial institutions, the key requirement is to identify and assess the ML/TF threats inherent in their business activities, the ML/TF vulnerabilities in their processes, and the level of AML/CFT controls. Financial institutions should assess the inherent risks of their (a) customer base, (b) products and services, (c) transactions, (d) geographic areas in which they operate or where their customers are located, and (e) delivery or distribution channels for their products, services, and transactions. These risk factors are not exhaustive, and financial institutions can assess additional risk factors depending on, among others, the risk and context of the jurisdiction and sector or the particular business models of individual institutions. In conducting a risk assessment, financial institutions should be free to determine how they do this, as long as the approach is coherent, consistent, and transparent to the supervisor. However, a common approach is to assess the inherent ML/TF risks related to the risk factors and the adequacy of the AML/CFT controls, based on quantitative data and qualitative information. Inherent risks cannot be mitigated entirely, and the risks that remain after AML/CFT controls have been applied are termed residual risks. If an institution’s residual risks fall outside its risk appetite, additional controls need to be implemented to ensure that the level of ML/TF risk is acceptable to the institution. The second key requirement of a risk-based approach is for financial institutions to mitigate the risks that have been identified and assessed. Financial institutions therefore need to have AML/CFT policies, procedures, and controls to mitigate those risks and comply with their legal and regulatory obligations. Such measures should be proportional to and consistent with the level of risks assessed, applying enhanced measures where higher risks have been identified and applying simplified measures where risks are lower. Enhanced measures mean that the scope, intensity, and frequency of controls should be proportionately stronger to mitigate higher risks. Unless circumstances call for supervisors to set out specific prescriptions, they should not prescribe the specific measures to be applied, except for those cases where enhanced and simplified measures are already prescribed by law or regulation. Financial institutions should have flexibility in determining the most effective way to assess and manage their risks, but decisions should be documented and financial institutions should be able to demonstrate to a supervisor how they came 166
PREVENTING MONEY LAUNDERING AND TERRORIST FINANCING
